Method for the secure operation of an electronic consumption data module and consumption data module

ABSTRACT

A method for operating an electronic consumption data module. Consumption data are transmitted via a communication system to a receiver, and different keys are provided for different software authorizations. Command authorizations are defined as software authorizations in the consumption data module. A consumption data module has a memory, a control and/or regulating unit, and a communication device for the consumption data transmission. Different keys are provided for different software authorizations, and the command authorizations are defined as software authorizations in the consumption data module. The consumption data module is operable by the method.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims the priority, under 35 U.S.C. § 119, of German application DE 10 2018 000 889.5, filed Feb. 3, 2018 and DE 10 2018 003 061.0, filed Apr. 14, 2018; the prior applications are herewith incorporated by reference in their entireties.

BACKGROUND OF THE INVENTION

Field of the Invention

The present invention relates to a method for operating an electronic consumption data module. The present invention furthermore relates to a consumption data module.

Data transmission from metering units, such as e.g. sensors, consumption meters or components of smart home controllers, is becoming increasingly important in everyday use. One important field of application of metering units is the use of intelligent consumption meters, also known as smart meters. These are normally consumption meters incorporated into a supply network, e.g. for energy, power, gas or water, which indicate actual consumption to the respective connection user and use a communication network to transmit the consumption data to the provider. Intelligent consumption meters offer the advantage that manual meter readings are no longer required and shorter-term billing can be implemented by the provider according to actual consumption. Shorter-term reading intervals in turn enable a more accurate linkage between end customer tariffs and the development of trading prices for electricity. The supply networks can also be substantially more effectively utilized.

Generic consumption meters normally transmit the accrued data in the form of data packets or data messages via a radio communication link, for example in the short range devices (SRD) or industrial, scientific, medical (ISM) frequency range. Data messages are normally made up of a plurality of data packets. The SRD or ISM frequency ranges offer the advantage that they are licence-free and only a general permit from the frequency authority is required for use.

Electronic consumption meters with a radio transmitter for wireless data transmission are frequently used for walk-in, walk-by, drive-by or fly-by reading. For this purpose, the metering devices are read by a mobile radio receiver by customer service personnel from a vehicle (drive-by) or on foot (walk-by) without having to enter the building. In the case of intelligent consumption meters, energy consumption, on the one hand, since these meters are mainly battery-controlled and are intended to have the longest possible maintenance intervals, and operational reliability, on the other hand, are of decisive importance. In the above-mentioned reading methods, radio messages are frequently transmitted throughout the entire year, the messages being very short in order to save energy so that a frequent transmission over a long time period is possible.

Intelligent metering infrastructures are increasingly used to record consumption data. In these metering infrastructures (consumption data recording systems), the consumption meters represent the terminal devices by means of which consumption data are captured at the metering points. The metering data are transmitted digitally from the consumption meters to a higher-level management system or head-end system. The head-end system manages the consumption data and communicates with the consumption meters. An intelligent metering infrastructure can comprise a large number of consumption meters. A simultaneous direct communication connection from all consumption meters to the head-end system is therefore often not possible as sufficient communication means are not available or the transmission bandwidths are too narrow. Data-collecting apparatuses, referred to as data collectors, are used so that the data recorded and transmitted by the consumption meters can nevertheless be transmitted as reliably and loss-free as possible to the head-end system. The data collectors are arranged in the communication path between the consumption meters and the head-end system. They collect the consumption data transmitted by the consumption meters on a communication path and act as buffer memories until the consumption data stored by them are retrieved by the head-end system. The data collectors can furthermore perform additional tasks, such as, for example, carrying out status queries in the consumption meters and providing the consumption meters with information and program codes, such as, for example, firmware and software updates and communication schedules. The consumption meters can be configured in this metering infrastructure via a radio communication link using a radio key.

In published, non-prosecuted German patent application DE 10 2015 107 210 A1, a method and an interface device are described for transmitting metering values from a consumption amount meter via a radio interface in which different coupling keys or reading keys are provided for different user profiles. Different access authorizations can be allocated to the user profiles in the interface device. However, the user profiles only grant different read rights in respect of the consumption quantity meter. Write permissions or configuration facilities are not provided. The determination of a new coupling key is furthermore described.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a novel method for operating a consumption data module, and also a consumption data module, in which an increased operational flexibility with reduced maintenance intensity is enabled simultaneously with an advantageous energy efficiency.

According to the invention, a method is provided for operating an electronic consumption data module. The consumption data are transmitted to a receiver and different keys are provided for different software authorizations, wherein command authorizations are defined in a characterizing manner as software authorizations in the consumption data module.

In encryption technology or in cryptography, a key is a variable value which is used with an algorithm, for example in order to encrypt or decrypt a character string. Keys and/or certificates are furthermore used for authentication, validation and/or control of privileged access. The keys that are used may, for example, be keys of an asymmetric encryption method, such as, for example, the RSA method. The RSA method can be used for encryption and/or for digital signing. A key pair which consists of a private key and a public key is used here. Data can be decrypted and/or signed with the private key, whereas data can be encrypted and/or signatures can be verified with the public key. The private key is kept secret for this purpose. A key may therefore also be a key pair.

If the command authorizations are defined by the software authorizations in the consumption data module, the user can only execute commands within the limits of his authorizations. Commands may, for example, be read requests, so that e.g. the network provider is given read access to more detailed data than the end consumer. For commands with write requests for configuration values, in particular for metrological characteristics, it is of particularly great importance in terms of security to verify the relevant software authorizations in the consumption data module before said commands are executed.

The method is advantageously suitable for battery-operated, preferably long-term-battery-operated consumption data modules. The implementation of different software authorizations on a battery-operated system, in particular on an embedded system, presents a particular challenge due to the limited facilities of the consumption data module. There is advantageously no resulting increase in the energy consumption in the consumption data module due to the method.

The facility expediently exists to protect the metrological characteristics of the consumption data module by a software authorization.

The metrological characteristics can expediently comprise the following characteristics individually or in combination: gauging, calibration and/or adjustment. Consumption meters normally have a metrological unit which records the flow rate of the medium, e.g. water, power or gas and outputs a value for the flow rate according to its calibration. Calibration designates the determination of the relationship between the output values of the metrological unit and the associated values of a metered quantity defined by normals under predefined conditions. A normal is a metrological reference item, a reference material or a precise metering device which serves to calibrate other metering devices. Normals with the highest accuracy are referred to as primary normals which, according to the internationally valid definition, are affected by the lowest possible uncertainty according to the current prior art. As a result, units of the international system of units (SI) are uniformly available worldwide and thus form the legally binding basis in legal metrology for the corresponding physical quantity. Consumption meters or their metrological units are calibrated in order to ensure compliance with legal requirements in commercial transactions. Calibration is the checking prescribed by the legislator for compliance with the fundamental legal calibration regulations, such as e.g. the calibration error limits. Calibrations are carried out in the Federal Republic of Germany by the calibration offices and state-recognized inspection bodies. A calibration is therefore a legally prescribed calibration of the metering device which can be referenced against national standards. In the adjustment, an intervention is performed on the consumption data module in order to set the latter to target values. The target values are predefined by means of a normal. A matching is performed on the consumption data module, for example via an adjustment screw or via electrical adjustment facilities. The adjustment therefore represents a permanent intervention in the consumption data module.

The metrological characteristics of the consumption data module can advantageously be stored in a metrological unit in the consumption data module. This metrological unit can be protected by corresponding hardware device security and is, for example, sealed by the calibration office. Access to the metrological characteristics of the consumption data module is advantageously no longer protected exclusively by a corresponding hardware device security, but can furthermore be regulated by software authorizations. It is furthermore also expediently possible to differentiate between individual users of the consumption data recording device through software authorizations. Possible user groups are e.g., the end consumer, the metering point operator, the network provider, the technical service, the manufacturer and/or the calibration authority.

It is particularly expedient if the software authorizations comprise write permissions. This offers the facility to define the write permissions individually for each user. The end consumer is expediently granted, for example, no write permissions in respect of the consumption data module, but only read rights. Write permissions can be granted to the metering point operator, the network provider, the technical service and/or the calibration authority, wherein these write permissions may in turn be configured with differing scope. Write permissions for less critical functions, such as e.g. the setting of the transmission intervals for the consumption data, can be granted to a plurality of user groups. Conversely, critical functions, such as, for example, the allocation of software authorizations to users, are reserved for highly trusted user groups only. The manufacturer, for example, and/or the calibration authority can be cited as trusted user groups. Access to the metrological characteristics of the consumption data module is expediently available to the trusted user groups only.

A radio communication system, a wired and/or an optical communication system is/are expediently provided as a communication system. The use of software authorizations is not restricted by the communication system type. The key for a specific authorization, such as, for example, the clearing of alarms, is independent from the communication system and can therefore be used via any given communication interface. An optical communication system can be provided e.g., for local communications, i.e. communications directly on the consumption data module. A radio communication system and/or a wired system, such as, for example, an M-bus interface, can be used for remote access to the consumption data module. Heightened security requirements can be imposed on the consumption data module through the remote access facility via a radio link, e.g. via wireless M-Bus. The use of radio keys to secure transmissions via a radio link is known. However, the known radio keys offer no separate protection for the data transmitted via a radio link or the configuration data themselves. Furthermore, commands to be executed in the consumption data module are not specifically authorized, so that, with knowledge of the radio key, all data and every command can generally be accessed in the consumption data module.

At least one key can advantageously be used to secure the radio transmission. The need for a separate radio key can thus be eliminated. The authorization for the radio transmission can be provided e.g. by the corresponding key for the software authorizations. The key for securing the radio transmission can be distinguished from known radio keys since it regulates not only access via a radio link, but also internal access to different functions or lower hierarchical levels.

At least one key for the software authorizations can also be expediently used to secure the data or configuration data during the radio transmission. Configuration data designate any type of data which are generated and managed by an application. Configuration data may comprise, for example, profiles, user data, settings, status and/or logs. The key can be used, for example, for the coding and decoding of a cryptographic encryption method.

At least one key for the software access authorization can be notified selectively to an information recipient. The information recipient can advantageously be a highly trusted party. It is particularly appropriate if the key for the software access authorization in respect of the metrological characteristics is known to the relevant calibration authority and/or a comparable neutral body. Alternatively, it is also possible for the key for the software access authorization in respect of the metrological characteristics to be known exclusively to the relevant calibration authority and/or a comparable neutral body. The legal compliance of the calibration in the consumption data module can thus be guaranteed in a simple manner.

If a command is transmitted to the consumption data module without a key providing authorization for this command, the command is expediently not executed. It is thereby ensured that only commands originating from a trusted source are executable.

The consumption data module can advantageously generate an error signal in the event of an unauthorized command. If, for example, the metrological characteristics of the consumption data module are accessed with a non-authorizing key, an error can be transmitted back with the message that no sufficient authorization has been provided.

A manipulation of the metrological data can be proven in a simple manner by recording and storing an unauthorized access to metrological data, particularly by storing it in a non-erasable memory. The non-erasable memory may, for example, be a calibration logbook. The unauthorized access to metrological data can be indicated by the consumption data module, for example by a symbol, e.g. a balance symbol, in the display and/or by a status bit in a radiotelegram from which the manipulation is recognizable, even after a long time, e.g. after one year.

The consumption data module can expediently have an individual identifier. The consumption data module can thereby be distinguished from other consumption data modules.

At least one key from the group of keys can advantageously be valid for a software authorization in the case of an individual identifier of a consumption data module. In the case of a different consumption data module with a different identifier, the key can have no validity so that no software authorizations are granted in respect of this second consumption data module by the key of the first consumption data module. The number of possible keys per consumption data module for software authorizations is not restricted.

In one design, for example, five individual keys can be provided per consumption data module. One of these keys could be used, for example, to secure the radio transmission, wherein four keys are used for software authorizations.

In the case of a frequently repeated transmission of consumption data with the same key, the key could be determined by an attacker by means of a sufficiently high number of intercepted consumption data. The validities of the keys for software authorizations can expediently be time-limited in order to prevent an attack on a key. It is furthermore possible, for example, for software authorizations to be granted to a key on different consumption data modules. The key valid for a plurality of consumption data modules could have a time-limited validity for this purpose so that the common key is periodically renewed, for example once a quarter. A common software authorization of this type could be a clock service.

Since the scope of the software authorization for a key is individually configurable, individually differing rights can easily be granted to different users or user groups on the consumption data module.

The consumption data module can expediently be a consumption meter or a consumption data radio module. A consumption data radio module may, for example, be a radio module which transmits meter data, in particular consumption data. Different keys are provided for different software authorizations in the consumption data radio module.

Secondarily, the present invention claims a consumption data module. The consumption data module according to the invention comprises a memory, a control and/or regulating unit and also communication means for the consumption data transmission. Different keys are furthermore provided for different software authorizations, wherein command authorizations are defined in a characterizing manner in the consumption data module as software authorizations and the consumption data module is operable, in particular, by a method according to at least one of the method claims.

The consumption data module can advantageously comprise a battery, preferably a battery designed for long-term operation. The consumption data module can thus be operated as an embedded system independently from an external energy source. A battery designed for long-term operation can expediently be used in order to guarantee that the system can be operated autonomously and, for example, in order to lengthen the necessary maintenance intervals.

The facility advantageously exists for the consumption data module to comprise a metrological metering unit to record the consumption data. The metrological metering unit can expediently be protected by a software authorization.

The metrological characteristics of the consumption data module can expediently be stored in the metrological metering unit. Known consumption data modules, such as e.g. consumption meters, protect access to the metrological metering unit by means of a hardware protection and/or a calibration seal. Access to the metrological metering unit can advantageously be protected according to the invention by means of a software protection. In addition to hardware access, for example, a facility for software access to the metrological characteristics of the consumption data module can be provided.

In one alternative design, access to the metrological metering unit can be protected exclusively by means of software protection. Hardware access can already be prevented e.g. through the manufacturing process, whereby, for example, a hardware encapsulation of the metrological metering unit takes place during production. In this design, the metrological characteristics and therefore the calibration of the consumption data module can be accessed only via a software authorization.

The consumption data module can expediently comprise a module for managing the keys for the software authorizations. This module can, for example, be connected downstream of the communication means and can therefore monitor and control access to the remaining modules of the consumption data module. Access to the memory, the control and/or regulating unit or the processor and also the metrological metering unit can thus e.g. be regulated. The module for managing the keys can preferably be configured as a hardware and/or software component.

The communication means can advantageously comprise radio communication devices, wired communication devices and/or optical communication devices.

The facility furthermore exists to use the keys to secure the radio transmission. Such keys can thus comprise the functions of radio or transport keys. Radio or transport keys serve primarily to protect the data transport via radio paths.

Alternatively or additionally, the facility exists to use the keys to secure the configuration data. Access to these data in a consumption data module can advantageously be regulated and managed via the keys for the software authorization. Read and/or write permissions, for example, in respect of specific configuration data can be granted or denied to a user or a user group.

The facility expediently exists to notify the key for the software access authorization selectively to an information recipient. Access by means of keys for the software authorization to the metrological metering unit of the consumption data module can expediently be granted to the relevant calibration authority and/or a comparable neutral body. Alternatively, access can be granted exclusively to the relevant calibration authority and/or a comparable neutral body.

The consumption data module can advantageously have an individual identifier. One consumption data module can be distinguished from other consumption data modules by the individual identifier. If the consumption data module jointly transmits its identifier during radio transmissions, the data originating from this consumption data module, in particular consumption data, can be allocated to the correct consumption data module. The identifier can be stored in the communication module, as a result of which outgoing radio transmissions can be provided with the identifier. In the case of received transmissions, a check can be carried out in the communication module, e.g. using the jointly transmitted identifier of the target consumption data module, to determine whether these messages are intended for the respective consumption data module. The facility furthermore exists for the key management module to check the jointly transmitted identifier for authorizations along with the key for the command authorization. If the key that is used is not authorized for the respective identifier of the consumption data module, the key can be identified as invalid and e.g., the command execution can be refused.

The security of the consumption data module can be increased in a simple manner by imposing a time limit on the validities of the keys for software authorizations. On expiry of the validity of a key, a new key can be generated, for example, in the consumption data module, for example in the key management module. An algorithm can be stored, for example, by means of which a new valid key can be calculated. The facility exists, for example, to generate a new key on the basis of the hitherto valid key. Additionally or alternatively, the facility exists, for example, to generate a new key outside the consumption data module, preferably in a secure environment. The key generated in this way outside the consumption data module can be transferred, for example, securely onto the consumption data module. This is subject to the condition that the instance outside the consumption data module has the necessary generation rights and/or the necessary access rights in the consumption data module to transmit the new key.

The scope of the software authorization for the key can advantageously be individually configurable. Information indicating which key has which authorizations, for example, can be stored in the key management module. The key management module can thus decide, for example, which requests, in particular command requests, are granted or refused.

The memory can expediently comprise a non-erasable memory. The non-erasable memory can be configured, for example, as a calibration logbook.

The consumption data module can advantageously be a consumption meter or consumption data radio module.

Other features which are considered as characteristic for the invention are set forth in the appended claims.

Although the invention is illustrated and described herein as embodied in a method for the secure operation of an electronic consumption data module and consumption data module, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.

The construction and method of operation of the invention, however, together with additional objects and advantages thereof will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

FIG. 1 is a simplified schematic representation of software authorizations in two consumption data modules according to the invention;

FIG. 2 is a highly simplified block diagram of one design of a consumption data module as a consumption meter, and also its components; and

FIG. 3 is a flow diagram for the software authorizations in the consumption data module.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to the figures of the drawings in detail and first, particularly to FIG. 1 thereof, there is shown a simplified schematic representation of two designs of consumption data modules as consumption meters 1 a-1 b which have a plurality of different software authorizations. By way of example, the software authorizations are “read”, “command”, “write” and “metrology”. “Read” stands for the read access to the data of the consumption meter 1 a or 1 b. The readable data can comprise consumption data, configuration data and/or other consumption-meter-related data. The facility furthermore exists to configure further authorization levels within the read access to the consumption meters 1 a-1 b. Only read access to the consumption data, for example, may be of interest to the end consumer. The end consumer could adjust his consumption on the basis of the consumption data in order to reduce his expenditure where possible. Conversely, read access to the configuration data of the consumption meter 1 a-1 b which could comprise, for example, the transmission intervals for transmission to a hierarchically superior data collector, may be of little interest to the end consumer, so that these rights cannot normally be granted to the end consumer.

The “command” software authorization relates to rights for the command authorization in the consumption meters 1 a-1 b. The “write” software authorization relates to write access to the consumption meters 1 a-1 b. Further authorization levels may exist within the write access rights. A write permission in the configuration data of the consumption meter 1 a-1 b may relate, for example, to the transmission intervals for the consumption data and/or the format of the consumption data themselves. In FIG. 1, “metrology” as a software authorization level relates to the access authorization in respect of the metrological characteristics of the consumption meter. The access rights can comprise read rights which permit, for example, the readout of the current calibration of the consumption meter. The access rights can furthermore comprise write permissions which allow, for example, changes to the calibration of the consumption meter. Such interventions in ongoing operation are the sole preserve of the relevant calibration authority and/or a comparable neutral body. The calibration authority can calibrate the consumption meter by adjusting the calibration.

The keys S₁ and Sa₂-Sb₄ authorize access to different functions in the consumption meters 1 a-1 b. S₁ thus enables read access in both consumption meters 1 a and 1 b. Since the consumption meters 1 a-1 b have individual identifiers and the authorizations of the keys Sa₂-Sb₄ are dependent on the individual identifier, the keys Sa₂-Sa₄ allow no read access in the second consumption meter 1 b. The keys Sb₂-Sb₄ similarly grant access to the second consumption meter 1 b only and not to the first consumption meter 1 a. However, the keys Sa₂-Sa₃ additionally have command authorization rights or write permissions on the consumption meter 1 a. The key S₁ can be provided, for example, for an end consumer with a plurality of consumption meters, so that the end consumer can read out both consumption meters 1 a-1 b with one key S₁. The keys Sa₂ and Sa₃ or Sb₂ and Sb₃ can be provided on the basis of the command authorization rights or write permissions, e.g., for the metering point operator, the network provider, the technical service and/or the manufacturer. The keys Sa₄ and Sb₄ are equipped with the additional “metrology” right. The user with the key Sa₄ can, for example, modify the calibration of the metrological metering unit 13 of the consumption meter 1 a. This facility to intervene in the core systems of the consumption meter 1 a is available to highly trusted users only. Only the relevant calibration office or a comparable neutral body is normally a trusted user of this type.

The keys Sa₂-Sa₄ thus grant access exclusively to functions of the first consumption meter 1 a, whereas the keys Sb₂-Sb₄ similarly enable access exclusively to functions of the second consumption meter 1 b. Conversely, the keys Sa₂-Sa₄ are excluded from access to the second consumption meter 1 b and the keys Sb₂-Sb₄ are similarly excluded from access to the first consumption meter 1 a.

FIG. 2 shows a highly simplified block diagram of one design of the consumption data module as a consumption meter 1. The consumption meter 1 contains an electronic module 10 and a connection housing 8. The electronic module 10 in turn contains an antenna 2, a communication module 11, a key management module 12, a metrological metering unit 13, a memory 14, a processor 15 and a battery 16. The consumption meter 1 shown is a water meter configured as an ultrasonic flow meter. The ultrasonic metering path 7 is accommodated in the connection housing 8. The connection housing 8 has an input 3 and an output 4 for the water connection. The direction of flow of the flowing medium is indicated with the arrows at the input 3 and output 4. The metering device of the consumption meter 1 is shown by way of example with two ultrasonic transducers 5 a and 5 b. The path of the ultrasonic signals is diverted on the reflectors 6 a and 6 b to a U-shaped metering path 7. One part of the metering path 7 runs parallel to the direction of flow of the flowing medium. The components in the electronic module 10 are coupled to the components of the connection housing 8 via the connection of the metrological metering unit 13 to the ultrasonic transducers 5 a, 5 b. The metrological metering unit 13 records the flow speed or the volume flow of the medium according to the calibration.

The key management module 12 is connected downstream of the communication module 11. Requests via a radio link are received by the communication module 11 and forwarded to the key management module 12. The key management module 12 monitors the keys or the authorizations of the requests which are made to the consumption meter 1. The memory 14 contains a non-erasable memory 14 a which is designed here as a calibration log book. Unauthorized access to the metrological data or manipulations and manipulation attempts on the metrological data are noted and stored in this non-erasable memory 14 a.

FIG. 3 shows a flow diagram for the software authorizations in one design of a consumption module as a consumption meter wherein different keys S_(1-n) are used. On reception of a message via a radio link, the validity of the radio key is verified in the consumption meter 1 in a first step. If the key is already invalid, no connection is set up to the distant station. The radio key may simultaneously be a key S_(1-n) for a software authorization. Depending on the type of data which are intended to be accessed in the consumption meter 1, a distinction is made, for example, between consumption data, configuration data and metrological data. Consumption data are, for example, the recorded consumptions, e.g. the consumed water volume in the case of a water meter. Configuration data may comprise, for example, settings for transmission intervals of the consumption data. Metrological data describe e.g. the calibration or gauging of the consumption meter. In a next step, read or write permissions for the selected data type are verified on the basis of the key S_(1-n) used for the request. If read rights exist, the desired data are output; in the case of write permissions, the jointly transmitted data or commands are input. Conversely, if no authorization for the desired data type or insufficient read or write permissions exist, the request is not carried out. In this case, an error signal is then generated and transmitted back via a radio link.
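The two-step check of FIG. 3, combined with the identifier-bound keys of FIG. 1 and the log book 14 a, can be sketched in C as follows. This is an added illustration, not code from the patent: the struct layout, the permission tables, the meter identifiers 0xA and 0xB, the time counter and the choice to treat an identifier mismatch as an invalid key are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Data types distinguished in the FIG. 3 flow. */
enum data_type { CONSUMPTION, CONFIGURATION, METROLOGICAL, N_TYPES };
enum { R = 1, W = 2 };                        /* permission bits */
enum result { OK, ERR_INVALID_KEY, ERR_DENIED };

struct key {
    uint32_t key_id;     /* constructed number standing in for S1, Sa2, ... */
    uint32_t meter_id;   /* 0 = accepted by any meter; else bound to one identifier */
    uint32_t not_after;  /* time-limited validity (assumed: seconds counter) */
    uint8_t  perm[N_TYPES];
};

/* Append-only array standing in for the non-erasable log book 14 a. */
struct log_entry { uint32_t key_id, when; uint8_t op; };
static struct log_entry logbook[16];
static size_t log_len;

static void log_refusal(uint32_t key_id, uint32_t now, uint8_t op) {
    if (log_len < sizeof logbook / sizeof logbook[0])
        logbook[log_len++] = (struct log_entry){ key_id, now, op };
}

/* Returns OK only if the key is valid on this meter and grants op on type t. */
enum result authorize(const struct key *k, uint32_t this_meter, uint32_t now,
                      enum data_type t, uint8_t op) {
    enum result r = OK;
    if (k == NULL || now > k->not_after ||
        (k->meter_id != 0 && k->meter_id != this_meter))
        r = ERR_INVALID_KEY;                  /* step 1: key validity */
    else if ((unsigned)t >= N_TYPES || op == 0 || (k->perm[t] & op) != op)
        r = ERR_DENIED;                       /* step 2: rights for the data type */
    if (r != OK && t == METROLOGICAL)         /* refused metrological access is recorded */
        log_refusal(k ? k->key_id : 0, now, op);
    return r;                                 /* non-OK maps to the error signal */
}

/* Constructed sample keys: S1 reads on every meter; Sa2 and Sa4 are bound to meter 0xA. */
static const struct key S1  = { 1, 0,   2000, { R, 0,     0     } };
static const struct key Sa2 = { 2, 0xA, 2000, { R, R | W, 0     } };
static const struct key Sa4 = { 4, 0xA, 1000, { R, R | W, R | W } };
```

The sketch stops recording once its 16-entry array is full; a real log book needs a defined behaviour for that case, such as refusing further metrological requests.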

The following is a summary list of reference numerals and the corresponding structure used in the above description of the invention:

-   1, 1 a, 1 b Consumption data module
-   2 Antenna
-   3 Input
-   4 Output
-   5 a, 5 b Ultrasonic transducer
-   6 a, 6 b Reflector
-   7 Metering path
-   8 Connection housing
-   10 Electronic module
-   11 Communication module
-   12 Key management module
-   13 Metrological metering unit
-   14 Memory
-   14 a Non-erasable memory
-   15 Processor
-   16 Battery
-   S_(1-n) Key
-   S₁ Key for read rights
-   S₂ Key for command authorizations
-   S₃ Key for write permissions
-   S₄ Key for metrological characteristics
-   S₅ Key for securing the radio transmission
-   S₆ Key for securing the configuration data

The invention claimed is:
 1. A method for operating an electronic consumption data meter, configured as an ultrasonic flow meter, which comprises the steps of: transmitting consumption data via a communication system to a receiver; providing different keys for different software authorizations of the electronic consumption data meter, wherein command authorizations are defined as the software authorizations in the electronic consumption data meter; protecting metrological characteristics of the electronic consumption data meter by a software authorization, which have write permissions, and contain the following characteristics individually or in combination: gauging, calibration and/or adjustment, the write permissions of the software authorization allowing changes to a calibration of the electronic consumption data meter; and protecting the metrological characteristics disposed in a metrological metering unit by a hardware encapsulation so that the calibration of the electronic consumption data module is accessed only via the software authorization.
 2. The method according to claim 1, which further comprises: selecting the communication system from the group consisting of a radio communication system, a wired communication system and an optical communication system; and using at least one key to secure a radio transmission.
 3. The method according to claim 1, which further comprises using at least one key to secure configuration data.
 4. The method according to claim 1, wherein at least one key for software access authorization is notified selectively to an information recipient.
 5. The method according to claim 1, wherein a command transmitted to the electronic consumption data meter without a key providing authorization for the command is not executable by the electronic consumption data meter, and the electronic consumption data meter generates an error signal in an event of an unauthorized command.
 6. The method according to claim 1, which further comprises recording and storing an unauthorized access to metrological data.
 7. The method according to claim 1, wherein the electronic consumption data meter has an individual identifier, and at least one key from a group of keys is valid for software authorization in a case of an individual identifier of the electronic consumption data meter.
 8. The method according to claim 1, wherein validities of the keys for the software authorizations are time-limited.
 9. The method according to claim 1, wherein a scope of the software authorization for a key is individually configurable.
 10. The method according to claim 1, wherein the electronic consumption data meter is a consumption data radio meter.
 11. A consumption data meter, configured as an ultrasonic flow meter, comprising: a memory; a control and/or regulating processor; a metrological meter for recording consumption data; a communication system for a consumption data transmission, and different keys are provided for different software authorizations; ultrasonic transducers connected to said metrological meter; command authorizations are defined as the software authorizations in the consumption data meter; said metrological meter being protected by a software authorization, containing write permissions, wherein it is provided that metrological characteristics of the consumption data meter are stored in said metrological meter and contain at least one of the following characteristics: gauging, calibration and/or adjustment, the write permissions of the software authorization allowing changes to a calibration of the consumption data meter and said metrological meter being protected by a hardware encapsulation so that the calibration of the consumption data module is accessed only via the software authorization.
 12. The consumption data meter according to claim 11, further comprising a battery.
 13. The consumption data meter according to claim 11, further comprising a module for managing the keys for the software authorizations, said module configured as a hardware and/or software component.
 14. The consumption data meter according to claim 11, wherein said communication system has radio communication means, a wired communication means and/or an optical communication means, and at least one key is used to secure a radio transmission.
 15. The consumption data meter according to claim 11, wherein at least one of said keys is used to secure configuration data.
 16. The consumption data meter according to claim 11, wherein at least one of said keys for a software access authorization is notified selectively to an information recipient.
 17. The consumption data meter according to claim 11, further comprising an individual identifier.
 18. The consumption data meter according to claim 11, wherein validities of the keys for the software authorizations are time-limited.
 19. The consumption data meter according to claim 11, wherein a scope of a software authorization for a key is individually configurable.
 20. The consumption data meter according to claim 11, wherein said memory has a non-erasable memory.
 21. The consumption data meter according to claim 11, wherein the consumption data meter is a consumption data radio meter.